The Keystone Federation in OpenStack Kilo

melissa • May 29, 2015

Keystone is one of the key components of any OpenStack deployment. In short, Keystone takes a look at everyone logging into the OpenStack cloud, and answers two very important questions: “Who are you?” and “What can you do?”. It is critical for Keystone to be deployed in a highly available manner in each OpenStack deployment, as each project will always check with Keystone to answer those two very important questions. On a side note, Keystone is also one of my favorite project names, following Cinder and Ironic.

The Keystone Federation
There are a number of situations where we may have multiple OpenStack clouds in our enterprise environment. Perhaps there’s been a recent merger, and now we’re going to need to allow users to connect to multiple OpenStack clouds across organizations. Or maybe the research department has their own IT staff, and thus their own OpenStack cloud, but would like certain general business users to consume their services. Whatever the reason, until Kilo, this wasn’t an easy feat. Sure, we could have a separate login for each OpenStack cloud, but that doesn’t really do much for our users’ experience.

Joining the Keystone Federation
Beginning your journey to the federation isn’t difficult at all, as long as you’re using the Kilo release of OpenStack. There will be some changes to the keystone.conf file in the environment to enable federation. Don’t forget to make sure Keystone knows about all the Horizon URLs, that Horizon knows about all your Keystone deployments, and to use version 3 of Keystone.
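
The checklist above can be verified mechanically. The following is an added example, not code from this post or from the OpenStack project: it audits a keystone.conf for a federated auth method, checks that every Horizon WebSSO URL appears under `trusted_dashboard`, and checks that Horizon points at the Keystone v3 endpoint. The hostnames, the sample config and the `saml2` method name are constructed assumptions; substitute the protocol names and URLs of your own deployment.

```python
# Added example: audit keystone.conf against the federation checklist.
# SAMPLE_KEYSTONE_CONF and all hostnames are constructed for illustration.
SAMPLE_KEYSTONE_CONF = """\
[auth]
methods = external,password,token,saml2

[federation]
# trusted_dashboard is multi-valued: one line per Horizon instance
trusted_dashboard = https://horizon-a.example.com/auth/websso/
trusted_dashboard = http://horizon-b.example.com/auth/websso/
"""

def parse_multi(conf_text):
    """Parse INI text into {section: {key: [values]}}, keeping repeated keys."""
    out, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            out.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            out[section].setdefault(key, []).append(value)
    return out

def audit(conf_text, horizon_websso_urls, horizon_keystone_url,
          federated_methods=("saml2",)):  # assumed protocol names in use
    """Return a list of findings; an empty list means the checklist passes."""
    conf = parse_multi(conf_text)
    findings = []
    methods = ",".join(conf.get("auth", {}).get("methods", [])).split(",")
    if not set(federated_methods) & {m.strip() for m in methods}:
        findings.append("no federated method in [auth] methods")
    trusted = conf.get("federation", {}).get("trusted_dashboard", [])
    for url in horizon_websso_urls:
        if url not in trusted:  # Keystone must list each dashboard it trusts
            findings.append("Horizon not trusted by Keystone: " + url)
    for url in trusted:
        if not url.startswith("https://"):  # tokens are handed to this URL
            findings.append("trusted_dashboard is not HTTPS: " + url)
    if not horizon_keystone_url.rstrip("/").endswith("/v3"):
        findings.append("Horizon does not use Keystone v3: " + horizon_keystone_url)
    return findings
```

Run `audit()` once per Keystone deployment, passing the WebSSO URL of every Horizon that should be able to log in through it.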

The Federation is Enterprise Friendly
The ability to federate Keystone definitely helps OpenStack down the path of enterprise readiness. LDAP, or Lightweight Directory Access Protocol, is a directory service protocol commonly found in Microsoft Windows environments. LDAP is the mechanism that connects to Active Directory (AD), Microsoft’s directory that includes users and groups, as well as the various rights they hold. AD is often the enterprise answer to “Who are you?” and “What can you do?”.

One Big Happy Cloud
Federated Keystone allows for one big happy cloud across multiple environments that weren’t able to communicate before. Taking things a step further, and closer to the enterprise world, there were a couple of announcements made on the first day of the OpenStack Summit. First, we can look forward to things being “OpenStack Powered”, for real. To be OpenStack Powered, OpenStack products such as distributions, public clouds, and hosted private clouds must meet interoperability standards, as well as support federated Keystone. To support this effort, the OpenStack Marketplace has been created, and provides a great starting point for anyone who’s trying to pick OpenStack components for deployment within their organization.

The second part of the announcement was a laundry list of companies who have announced they will support federated Keystone. The 32 companies on the list include many names we have become familiar with in the cloud space, such as Cisco, Mirantis, and Ubuntu. Be sure to check out the announcement for the full list.

We talked a little bit about why federated Keystone may be important to some organizations, to allow access to OpenStack clouds inside of the house, but what about the outside? More and more organizations have begun to adopt hybrid cloud strategies for a multitude of reasons. Perhaps they have data that needs to remain on premises, but other data that will benefit greatly from the ability to burst compute resources in the cloud. Perhaps there are some applications that are so resource intensive, it is actually cheaper to run them on premises. Hybrid cloud is becoming a very real environment within many organizations.

With the Kilo release of OpenStack, we will see many more organizations Joining the Keystone Federation, and creating new clouds Powered by OpenStack. Keystone federation across hybrid cloud environments will provide organizations an unparalleled seamless user experience, wherever their apps may be living at the moment.